In the Claims:

Please replace claims 1-5, 7, 9-11, 14, 16, 18-21, 24, 26-29, 31, 33, 35-36, and 41, all as
shown below.

1. (Currently Amended): A security system for allowing a client to access a protected
resource or application, the protected application or resource including through an application
container, the security system comprising: 

an application interface mechanism for receiving an access request from a client to 
access the said protected application or resource, and communicating the access request to a
security service, wherein the client makes the access request on the application container, and
the application container calls the security service with the access request and a callback 
handler; 

a said security service for making a decision to permit or deny the access request, 
wherein the security service includes a plurality of security providers that may be plugged into 
the security service, and wherein the plurality of security providers use the callback handler to 
request context information from the application container for the access request and wherein 
depending on output from each security provider the security service determines entitlements for 
the client to use with the protected application or resource;

said security service is located at a first computer, and said protected resource is located
either at the same first computer or at a second computer and 

a resource interface for communicating permitted access requests to the said protected
application or resource.

2. (Currently Amended): The security system of claim 1 wherein the application interface
mechanism includes an the application container of claim 1 for reading an application deployment 
description and registering the application deployment description within the security service. 

3. (Currently Amended): The security system of claim 2 wherein the application container is an 
Enterprise Java Beans ENTERPRISE JAVABEANS container as defined by the ENTERPRISE
JAVABEANS specification . 

4. (Currently Amended): The security system of claim 2 wherein the application container is a 
WebApp Web Application container.

5. (Currently Amended): The security system of claim 1 wherein the security service includes a 
plurality of access decision mechanisms for defining an access policy and for determining a each of
the plurality of access decision mechanism can determine its own contributory decision to permit,
deny, or abstain from the access request. 

6. (Previously Presented): The security system of claim 5 wherein the security service further 
includes an access controller for transferring the access request to the plurality of access decision 
mechanisms, and for combining the contributory decisions into an overall decision by the security 
service to permit or deny the access request. 

7. (Currently Amended): The security system of claim 5 wherein one or more of the plurality of 
the access decision mechanisms represent a business function related access policy. 

8. (Original): The security system of claim 5 wherein access decisions may be added to the
security service to reflect changes in the access policy. 



9. (Currently Amended): The security system of claim 5 wherein the plurality of the access 
decision mechanisms are used to define the entitlements for the client to access the protected 
resource. 

10. (Currently Amended): The security system of claim 5 wherein a deny or abstain by any one
of the plurality of access decision mechanisms causes the security service to deny the access
request.

11. (Currently Amended): The security system of claim 5 wherein an abstain by any one of the
plurality of access decision mechanisms does not cause the security service to deny the access 
request. 

12. (Previously Presented): The security system of claim 5 wherein the security service further
includes an audit mechanism for auditing the determinations of the plurality of access requests.

13. (Previously Presented): The security system of claim 1 wherein the resource interface 
includes an interface mechanism to pass access requests to or from a protected resource. 

14. (Currently Amended): The security system of claim 13 wherein the interface mechanism 
includes a Java J2EE security interface as defined by the J2EE specification.

15. (Previously Presented): The security system of claim 13 wherein the interface mechanism
includes a security provider interface. 

16. (Currently Amended): The security system of claim 13 wherein the interface mechanism is
included as a plug-in into the resource interface.

17. (Previously Presented): The security system of claim 1 wherein the security service further 
makes a decision on whether to permit or deny a response to the access request from the protected 
resource to the client. 

18. (Currently Amended): A method of allowing a client to access a protected application
resource through an Application Container, the method comprising:

receiving at an application interface mechanism container an access request from a said
client to access said protected application resource;

communicating the access request from the application container to a security service 
together with the access request and a callback handler; 

making a decision at the security service to permit or deny the access request, wherein the 
security service includes a plurality of security providers that may be plugged into the security 
service; 

using the callback handler at each security provider to request context information from the 
application container for the access request; 

determining entitlements for the client to use with the protected application resource
depending on output from each security provider; and 

communicating a permitted access request through a resource interface to the protected
application resource.

19. (Currently Amended): The method of claim 18 wherein the application interface mechanism
of claim 18 includes an the application container of claim 18 for reading an application deployment
description and registering the deployment description within the security service. 

20. (Currently Amended): The method of claim 19 wherein the application container is an 
Enterprise Java Beans ENTERPRISE JAVABEANS container as defined by the ENTERPRISE
JAVABEANS specification . 

21. (Currently Amended): The method of claim 19 wherein the application container is a 
WebApp Web Application container.

22. (Previously Presented): The method of claim 18 further comprising: 

defining an access policy via a plurality of access decision mechanisms within the security 
service; and, 

determining at each access decision mechanism a contributory decision to permit, deny, or 
abstain from the access request. 

23. (Previously Presented): The method of claim 22 further comprising: 

transferring via an access controller the access request to the plurality of access decision 
mechanisms, and combining the contributory decisions into an overall decision by the security 
service to permit or deny the access request. 

24. (Currently Amended): The method of claim 22 wherein one or more of the plurality of the 
access decision mechanisms represent a business function related access policy. 

25. (Original): The method of claim 22 wherein access decisions may be added to the security
service to reflect changes in the access policy. 

26. (Currently Amended): The method of claim 22 further comprising:

using the plurality of access decision mechanisms to define entitlements for the client to 
access the protected resource. 

27. (Currently Amended): The method of claim 22 wherein a deny or abstain by any one of the 
plurality of access decision mechanisms causes the security service to deny the access request. 

28. (Currently Amended): The method of claim 22 wherein an abstain by any one of the plurality 
of access decision mechanisms does not cause the security service to deny the access request.

29. (Currently Amended): The method of claim 22 further comprising: 

auditing via an audit mechanism the determinations of the plurality of access requests
decision mechanisms.

30. (Previously Presented): The method of claim 18 wherein the step of communicating the 
access request includes passing access requests via an interface mechanism to or from a protected
resource. 

31. (Currently Amended): The method of claim 30 wherein the interface mechanism includes a
Java J2EE security interface as defined by the J2EE specification.

32. (Previously Presented): The method of claim 30 wherein the interface mechanism includes
a security provider interface. 

33. (Currently Amended): The method of claim 30 wherein the interface mechanism is included 
as a plug-in into the resource interface.

34. (Previously Presented): The method of claim 18 further comprising: 

making a decision on whether to permit or deny a response to the access request from the 
protected resource to the client. 

35. (Currently Amended): A method for determining user entitlements to access protected 
resources in a secure environment, comprising: 

receiving an access request from a user application to access a protected resource, by 
invoking a security service with the access request and a callback; 

determining user entitlements to access the protected resource, wherein the determining 
includes polling a plurality of security providers that may be plugged into the security service, and 
wherein the plurality of security providers use a callback handler to request context information from 
an application container for the access request; 

making a decision at the security service based on the user entitlements to permit or deny 
the access request; and 

the steps of either 

(a) communicating a permitted access request to the protected resource, or 

(b) denying a denied access request to the protected resource. 

36. (Currently Amended): The method of claim 35 wherein if the access request is permitted,
user entitlements also determines a type of access available to a user of the protected resource. 

37. (Previously Presented): The method of claim 36 wherein the type of access includes any of 
view, modify, delete, or copy, any part or all of the protected resource. 

38. (Previously Presented): The method of claim 35 wherein information about user entitlements 
can be communicated from a first security realm to a second security realm. 

39. (Previously Presented): The method of claim 38 wherein additional information from a first 
security realm can be used to modify the user entitlements, prior to communicating the information 
about user entitlements from the first security realm to the second security realm. 

40. (Previously Presented): The security system of claim 1, wherein entitlements comprise at
least one of business logic and functionality entitlements. 

41. (Currently Amended): The security system of claim 1, wherein context information comprises
at least one of the identity of the protected resource or application, one or more values of access
request parameters and network or internet protocol address of the client. 
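
An added illustration of the arrangement recited in claims 1, 5, 6, 10, 11 and 12, not code from the application or from any product it describes: a security service with pluggable providers that pull context from the container through a callback handler and vote permit, deny, or abstain. The names `SecurityService`, `plug_in`, the two providers, the context keys, and the default deny when no provider permits are assumptions made for the example.

```python
import ipaddress
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"

def business_hours_provider(subject, resource, callback):
    # Provider asks the container for context only when it needs it.
    hour = callback("request.hour")          # hypothetical context key
    if hour is None:
        return Decision.ABSTAIN
    return Decision.PERMIT if 9 <= hour < 17 else Decision.DENY

def internal_network_provider(subject, resource, callback):
    addr = callback("client.address")        # hypothetical context key
    if addr is None:
        return Decision.ABSTAIN              # no basis for an opinion
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network("10.0.0.0/8")
    return Decision.PERMIT if inside else Decision.DENY

class SecurityService:
    def __init__(self, abstain_denies):
        self.providers = []
        self.abstain_denies = abstain_denies  # claim 10 (True) vs claim 11 (False)
        self.audit_log = []

    def plug_in(self, provider):
        self.providers.append(provider)

    def is_access_allowed(self, subject, resource, callback):
        # Access controller role: poll every provider, then combine the votes.
        votes = [p(subject, resource, callback) for p in self.providers]
        self.audit_log.append((subject, resource, [v.value for v in votes]))
        if Decision.DENY in votes:
            return False
        if self.abstain_denies and Decision.ABSTAIN in votes:
            return False
        # Assumption: with no explicit permit, fail closed.
        return Decision.PERMIT in votes

def container_handle(service, subject, resource, context):
    # Container role: forward the request with a callback handler over its context.
    return service.is_access_allowed(subject, resource, context.get)

def build(abstain_denies):
    service = SecurityService(abstain_denies)
    service.plug_in(business_hours_provider)
    service.plug_in(internal_network_provider)
    return service
```

The `abstain_denies` switch is the only difference between the two adjudication behaviours: the same request with a missing client address is refused under one setting and allowed under the other, and the audit log records each provider's vote either way.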